EBA Publishes Guidelines on PSD2 Fallback Mechanism

The European Banking Authority (EBA) this month published its final
Guidelines on the conditions that account servicing payment service
providers (ASPSPs) must meet in order to be exempted from the
obligation to implement the fallback mechanism on strong customer
authentication and common and secure communication under PSD2.

The Revised Payment Services Directive (PSD2) is already law in the
European Union, but the majority of its provisions will not apply until
14 September 2019. It specifies that ASPSPs must either enable third
party access to data through the customer’s normal online banking
websites, or alternatively develop a new ‘dedicated interface’ for
that purpose.

Under PSD2, banks will be required to put in place a so-called
“fallback mechanism”, which Third Party Providers (TPPs) can rely on
if dedicated interfaces are unavailable for more than 30 seconds, or
if they do not meet the general operational requirements set out in
the RTS. Such a fallback mechanism will consist of opening up the
ASPSP’s user-facing interface as a secure communication channel for
payment initiation and account information services.

The final Guidelines specify the conditions, set out in Article 33(6)
of the PSD2 Regulatory Technical Standards (RTS), that ASPSPs must meet
in order to be exempted from the obligation to implement the fallback
mechanism. These conditions, which were included by the European
Commission in the draft RTS, raised practical questions and requests
for clarification from market participants as part of a consultation
period that began in June of this year.

The EBA has amended the draft Guidelines in a number of areas. It
clarified that for the purpose of the exemption ASPSPs will need to
show TPPs’ involvement in the design and testing of their dedicated
interfaces and provide their national regulator with the feedback they
received from TPPs that participated in the testing, together with an
explanation of how the ASPSP addressed any issues identified during
the testing.

With regard to the obligation for banks to publish data on the
availability and performance of their interfaces, the final Guidelines
clarify that they should publish such data in a way that enables comparison
of the daily availability and performance of the dedicated interface
with those of the interfaces used by the bank’s own customers.

With such demanding fallback exemptions and extensive technical
projects to be completed, it seems that banks which do not already
have live APIs in the market will struggle to be fully compliant from the
time that the new rules come into force in September 2019.